Full Report
Treasure DAO was the largest NFT marketplace Arbritrum. Recently, it was hacked. But how? The function buyItem() can be used to purchase existing listings to be bought for no fee on the NFT platform. The function signature is buyItem(nftAddress, tokenId, owner, quantity). There is no validation that the quantity parameter is NOT zero. When multiplying the per-item price with the quantity, providing a zero would result in a cost of zero. From reading the source code of the application right before the bug fix at here, it appears that the NFT transfer was a full NFT. The quantity was NOT use on ERC721 but only used on ERC1155. The quantity item feels a little weird in this context. Overall, interesting input validation finding!
Analysis Summary
# Incident Report: Treasure DAO NFT Marketplace Exploitation
## Executive Summary
Treasure DAO, the largest NFT marketplace on the Arbitrum network, suffered an exploit due to a critical input validation vulnerability in its smart contract. An attacker utilized a zero-quantity parameter flaw to purchase numerous NFTs for a total cost of zero. The incident resulted in the theft of over 100 high-value NFTs before the marketplace was paused to prevent further loss.
## Incident Details
- **Discovery Date:** March 2022
- **Incident Date:** March 2022
- **Affected Organization:** Treasure DAO
- **Sector:** Decentralized Finance (DeFi) / NFT Marketplace
- **Geography:** Global / Distributed
## Timeline of Events
### Initial Access
- **Date/Time:** March 2022
- **Vector:** Exploitation of unvalidated input in the `buyItem()` function.
- **Details:** The attacker targeted the smart contract’s logic which handled both ERC-721 and ERC-1155 tokens. By calling `buyItem` with a quantity of zero, the attacker bypassed payment requirements.
### Lateral Movement
- **N/A:** As this was a smart contract exploit, traditional lateral movement through a corporate network did not occur. The attacker moved "horizontally" across different NFT listings within the platform to drain assets.
### Data Exfiltration/Impact
- **Details:** The attacker successfully "purchased" approximately 100+ NFTs (predominantly from the Smol Brains and Legions collections) for 0 MAGIC (the native token).
### Detection & Response
- **Detection:** On-chain monitoring and community reports of "free" purchases flagged the anomaly.
- **Response Actions:** The Treasure DAO team officially paused the marketplace and associated smart contracts to prevent the attacker from draining the entire inventory.
## Attack Methodology
- **Initial Access:** Smart Contract Vulnerability ( CWE-20: Improper Input Validation).
- **Persistence:** On-chain transactions (irreversible once confirmed).
- **Privilege Escalation:** Logic exploit allowed the user to bypass the "buyer" role's financial obligations.
- **Defense Evasion:** Use of multiple transactions to quickly drain assets before manual intervention.
- **Discovery:** On-chain reconnaissance of the `buyItem(nftAddress, tokenId, owner, quantity)` function signature.
- **Impact:** Financial loss and unauthorized asset transfer via a "Zero-Quantity" exploit.
## Impact Assessment
- **Financial:** Multi-million dollar loss in NFT floor value at the time of the exploit (estimated 100+ high-value NFTs).
- **Data Breach:** None (non-custodial platform).
- **Operational:** Marketplace was shut down for several hours/days for patching and remediation.
- **Reputational:** Significant temporary impact on trust within the Arbitrum ecosystem, though mitigated by proactive recovery efforts.
## Indicators of Compromise
- **Behavioral indicators:** Transactions calling the `buyItem` function where the `quantity` parameter is set to `0`.
- **Contract interaction:** Sudden spike in "0 cost" transfers on the Arbiscan block explorer.
## Response Actions
- **Containment:** Development team triggered the "Pause" mechanism on the marketplace smart contracts.
- **Eradication:** Patched the underlying logic flaw by implementing a requirement that `quantity` must be greater than zero.
- **Recovery:** Social engineering/negotiation with the exploiter and community-led efforts to return stolen assets; many assets were eventually returned to the DAO.
## Lessons Learned
- **Key Takeaways:** Input validation is critical even in high-level smart contract functions. Logic that bridges different token standards (ERC-721 vs. ERC-1155) requires distinct handling pipelines.
- **What could have been done better:** Comprehensive audits specifically focusing on edge-case inputs (zero values) during the development lifecycle.
## Recommendations
- **Rigorous Input Validation:** Ensure all parameters, specifically `quantity` and `price`, are checked against minimum bounds (e.g., `require(quantity > 0)`).
- **Unit Testing:** Implement edge-case testing for all public and external functions involving financial transfers.
- **Audit Requirement:** Subject all marketplace contract updates to third-party security audits before deployment to mainnet.